AnyConnect Identity Extensions (ACIDex) for Non-Mobile Platforms

Available Languages

Download Options

  • PDF     (38.5 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (115.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (108.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 28, 2015
Document ID:118944

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes the Cisco AnyConnect Identity Extensions (ACIDex) feature and its introduction for non-mobile platforms.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Adaptive Security Appliance (ASA) 5500-X Series Next Generation Firewall Version 9.2(1)
  • Cisco Adaptive Security Device Manager (ASDM) Version 7.3(1) 
  • Cisco AnyConnect Secure Mobility Client Version 3.1.05152

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information 

The ACIDex, also known as the AnyConnect Endpoint Attributes or Mobile Posture, is the method that is used by the Cisco AnyConnect VPN client in order to communicate posture information to the ASA. The Dynamic Access Polices use these endpoint attributes in order to authorize users.

This table describes the ACIDex attributes, where Cisco AnyConnect is the attribute type (does not require Cisco Secure Desktop or Host Scan) and the endpoint is the attribute source:

Attribute NameValueMaximum String LengthDescription
endpoint.anyconnect.clientversion version AnyConnect client version
endpoint.anyconnect.platform string Operating System (OS) on which AnyConnect client is installed
endpoint.anyconnect.platformversion version 64 Version of OS on which AnyConnect client is installed
endpoint.anyconnect.devicetype string 64 Mobile device type on which AnyConnect client is installed
endpoint.anyconnect.deviceuniqueid   64 Unique ID of mobile device on which AnyConnect client is installed
endpoint.anyconnect.macaddress string Must be in the format xx-xx-xx-xx-xx -xx, where x is a valid hexadecimal character Media Access Control (MAC) address of device on which AnyConnect client is installed

ACIDex Feature for Non-Mobile Platforms

The Cisco AnyConnect VPN client now provides platform identification for the desktop OSs (such as Microsoft Windows, Macintosh OS X, and Linux) and a pool of MAC addresses that can be used by the Dynamic Access Policies (DAPs):

Note: The ASA must run Version 9.0 or later in order for this feature to work correctly, and the 3.x pkg or later must be loaded on the ASA for the non-mobile platform clients that run Version 3.1.05152 or later in order to report the ACIDex attributes.

The MAC address list is included with this feature, as well as the <device-id> element, which uses these three attributes:

  • platform-version
  • device-type
  • unique-id

Note: Aggregate Authentication Version 2 now supports the new elements for the <device-is> tag.

TAC Authored

Contributed by Cisco Engineers

  • Gustavo Medina
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products